diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml
index 2458d0c93..70636d9fa 100644
--- a/rules/windows/builtin/win_moriya_rootkit.yml
+++ b/rules/windows/builtin/win_moriya_rootkit.yml
@@ -5,6 +5,7 @@ description: Detects the use of Moriya rootkit as described in the securelist's
 status: experimental
 author: Bhabesh Raj
 date: 2021/05/06
+modified: 2021/05/12
 level: critical
 falsepositives:
     - None
@@ -26,7 +27,7 @@ detection:
 ---
 logsource:
     product: windows
-    service: file_event
+    category: file_event
 detection:
     selection:
         TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
index 63f5efe97..a3dc360ed 100644
--- a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
+++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
@@ -3,6 +3,7 @@ id: fe6e002f-f244-4278-9263-20e4b593827f
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: experimental
 date: 2019/09/12
+modified: 2021/05/12
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.execution
@@ -11,7 +12,7 @@ references:
     - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
 logsource:
     product: windows
-    service: image_load
+    category: image_load
 detection:
     selection:
         Description: 'system.management.automation'
diff --git a/rules/windows/image_load/sysmon_susp_python_image_load.yml b/rules/windows/image_load/sysmon_susp_python_image_load.yml
index d5fa64cb8..ba7f3d7d4 100644
--- a/rules/windows/image_load/sysmon_susp_python_image_load.yml
+++ b/rules/windows/image_load/sysmon_susp_python_image_load.yml
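Review bot: The file_event selection matches only the literal default path `C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys`, so a host with a non-default %SystemRoot%, or a driver staged in another directory before it is loaded, never hits this document of the rule. Because the driver name itself is the distinctive indicator, `TargetFilename|endswith: '\drivers\MoriyaStreamWatchmen.sys'` keeps the current matches and drops the dependence on the install drive and Windows directory. This only affects the second YAML document; its `condition` line and the rule's first document are outside the hunk.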
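Review bot: The selection keys only on `Description: 'system.management.automation'`, a string read from the loaded image's PE version resource, which an operator hosting the engine from a private copy of the assembly can blank or rewrite without changing what gets loaded. Pairing it with the path the image_load event already carries, e.g. a second selection `ImageLoaded|endswith: '\System.Management.Automation.dll'` (plus the `.ni.dll` native-image variant) OR'd with the Description match, keeps the existing hits while surviving a stripped version block. Any `filter` excluding powershell.exe/powershell_ise.exe and the `condition` are outside the hunk, so the rest of the logic is assumed, not verified, here.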
@@ -3,6 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83
 description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
 status: experimental
 date: 2020/05/03
+modified: 2021/05/12
 author: Patrick St. John, OTR (Open Threat Research)
 tags:
     - attack.defense_evasion
@@ -12,7 +13,7 @@ references:
     - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
 logsource:
     product: windows
-    service: image_load
+    category: image_load
 detection:
     selection:
         Description: 'Python Core'
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index eca94458b..831fefe48 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
@@ -8,7 +8,7 @@ references:
     - https://thedfirreport.com/2020/05/08/adfind-recon/
 author: FPT.EagleEye Team, omkar72, oscd.community
 date: 2020/09/26
-modified: 2020/10/11
+modified: 2021/05/12
 tags:
     - attack.discovery
     - attack.t1018
@@ -17,7 +17,7 @@ tags:
     - attack.t1069.002
 logsource:
     product: windows
-    service: process_creation
+    category: process_creation
 detection:
     selection:
         CommandLine|contains:
diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml
index 55659f9a0..9d36bc717 100644
--- a/rules/windows/process_creation/win_susp_wuauclt.yml
+++ b/rules/windows/process_creation/win_susp_wuauclt.yml
@@ -6,6 +6,7 @@ references:
     - https://dtm.uk/wuauclt/
 author: FPT.EagleEye Team
 date: 2020/10/17
+modified: 2021/05/12
 tags:
     - attack.command_and_control
     - attack.execution
@@ -13,7 +14,7 @@ tags:
     - attack.t1218
 logsource:
     product: windows
-    service: process_creation
+    category: process_creation
 detection:
     selection:
         ProcessCommandLine|contains|all:
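Review bot: The selection under the newly switched `category: process_creation` logsource still uses the field `ProcessCommandLine`, while the sibling process_creation rule in this same commit (win_susp_adfind) uses `CommandLine`, which is the name the generic process_creation field set maps onto Sysmon EID 1 and Security 4688. `ProcessCommandLine` will most likely pass through the backend unmapped, so the rule matches nothing on those sources despite now declaring the right category. Changing the key to `CommandLine|contains|all:` aligns it with the category this hunk introduces; the list of values under that key is outside the hunk and is unaffected.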
diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml
index 61841f9bc..0b9558835 100644
--- a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml
+++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml
@@ -3,6 +3,7 @@ id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
 description: Sysmon registry detection of a local hidden user account.
 status: experimental
 date: 2021/05/03
+modified: 2021/05/12
 author: Christian Burkard
 tags:
     - attack.persistence
@@ -11,7 +12,7 @@ references:
     - https://twitter.com/SBousseaden/status/1387530414185664538
 logsource:
     product: windows
-    service: registry_event
+    category: registry_event
 detection:
     selection:
         TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\'
diff --git a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml
index 5a0e5fb05..ea6a92f21 100644
--- a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml
+++ b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml
@@ -3,6 +3,7 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014
 description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
 status: experimental
 date: 2020/05/02
+modified: 2021/05/12
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.defense_evasion
@@ -12,7 +13,7 @@ references:
     - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
 logsource:
     product: windows
-    service: registry_event
+    category: registry_event
 detection:
     selection:
         TargetObject|contains: '\Software\Sysinternals\SDelete'
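Review bot: As visible in the hunk, the selection is only a prefix match on `HKLM\SAM\SAM\Domains\Account\Users\Names\`, which is the key path for every local account name, so on its own it fires for any legitimate local user creation, not just the hidden-user technique the title and the referenced tweet describe. If the lines following the hunk do not already narrow it, the distinguishing trait of that technique is the trailing dollar sign, i.e. add `TargetObject|endswith: '$'` to the same selection so both constraints must hold. The remainder of the selection and the `condition` are outside the hunk, so this is a caveat to confirm rather than a verified gap.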